We provide a series of HTTP callbacks that allow you to notify users when funds have been deposited and when they become available.
When callbacks are sent
Callbacks are sent whenever a transactional event occurs that will affect the wallet's balance. Examples include:
- Incoming pending transaction
- Pending transaction confirmed
- Outgoing transaction
You may receive two callbacks for a single transaction. This is especially true for transactions on the blockchain. In these cases, you would receive one callback when the transaction is first observed and one callback once the transaction is confirmed.
Callback Acceptance and Retries
Your system should respond to the callback request with a 200 response. We only attempt to send the request once, but we may introduce automatic retries in the future. We can manually resend callbacks upon request.
Payload
The callback payload will be a JSON representation of the transaction that has caused the callback to trigger. An example of such a transaction can be found below:
{
"id": "4vofvbjjvo4g5cn03ibcosja5mks3o22opskgmicdh",
"source": "bitcoin:EXTERNAL",
"dest": "wallet:2ef8mls9v9ovvqimiv2jmn0d33nf30dt",
"currency": "LTC",
"amount": 0.0001,
"status": "CONFIRMED",
"createdAt": 1436996049910,
"confirmedAt": 1436996049910,
"invalidatedAt": null,
"message": "One Banana nut muffin please!",
"equivalencies": {
"EUR": 0.03,
"BRL": 0.1,
"AUD": 0.04,
"USD": 0.03,
"GBP": 0.02
},
"senderId": null,
"senderProvidedId": null,
"reversedBy": null,
"relatedTx": null,
"blockchainTx": null,
"rates": null,
"sourceName": "EXTERNAL",
"sourceIcon": null,
"destName": "[email protected]",
"destIcon": null
}
Security Signature
In order to prevent callback spoofing, we provide a signature with the callback passed back through the HTTP header X-API-Signature.
This signature is a SHA256 HMAC signature of the JSON body signed with the merchant's secret key. To the right you can find example implementations of the signature.
Note: It's important to verify the signature in the callback, otherwise it is possible for the request to be spoofed by an external attacker.